March 2009 Archives


Botnet on Routers


In what appears to be an interesting security first, a DNS blacklist organization has discovered a botnet that resides on about 100,000 Linux-based routers and DSL modems.

The ultimate problem, it seems, comes down to unpatched router firmware and default passwords. Botnets and most malware take advantage of users who fail to keep things up to date. The twist here, however, is that this code isn't targeting users who forgot to turn on Windows Update, but rather users who are not keeping their router firmware updated and those who don't change the default passwords on these devices.

I guess we shouldn't be surprised. Most users don't take basic security measures on their PCs. Why should we expect them to give a second thought to their routers? Still, the potential for malicious botnet activity from unsecured routers is probably quite substantial. Expect to see a lot more of it in the future.


This interesting article (from a Sophos study) noted that, regarding Internet website passwords:

Almost half [of survey respondents] admitted to using a few different passwords, and 33 percent fessed up to using the same password all the time.

Only 19% claimed to use a different password for each website. My guess is that a more widespread or scientifically conducted study would actually show a higher percentage of users in the same-password-for-all-sites category.

I am not surprised. Just like everyone else, I am tired of trying to come up with new, strong passwords and then remember them. This is especially tricky given the large numbers of sites that we typically register for but rarely visit.

There is, of course, some risk here for the web users and the website owners. But there is an even deeper risk here for corporate security. I suspect that many folks are equally lazy with their corporate network and application passwords. Am I making too big a leap here? I don't think so.

When I first started getting into security and reading up on how hackers and crackers break into systems and networks, I expected to see all kinds of really clever exploits. And, to be sure, there are some very clever exploits out there. But I was struck by how the simplest, most common, and often most effective methods of security breaches are password hacks. Brute-force and/or dictionary-based attacks on weak passwords still manage to get the job done.

So what do security architects and officers have to do to address this age-old issue? It should be no surprise that good policies are a great place to start. But making password complexity rules too hard or setting very short expiration periods can be counter-productive (witness the user with passwords on sticky notes all over his monitor).

Smart cards and similar devices are a good step. Education and training must be a part of the process as well. As a netForensics employee, I'd also be remiss if I didn't point out the importance of monitoring and correlating your security events for signs of exploitation on accounts with weak passwords.
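As an added illustration of the monitoring point above (example code written for this page, not a netForensics product and not code from the post), the following Python correlates failed and successful password logins per account and source address. The sshd-style log lines are constructed, and the failure threshold and time window are assumptions; a real deployment would tune both.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample sshd-style auth log (not taken from the post).
SAMPLE_LOG = """\
Mar 10 09:00:01 host1 sshd[2001]: Failed password for bob from 198.51.100.7 port 51000 ssh2
Mar 10 09:00:03 host1 sshd[2002]: Failed password for bob from 198.51.100.7 port 51001 ssh2
Mar 10 09:00:05 host1 sshd[2003]: Failed password for bob from 198.51.100.7 port 51002 ssh2
Mar 10 09:00:07 host1 sshd[2004]: Failed password for bob from 198.51.100.7 port 51003 ssh2
Mar 10 09:00:09 host1 sshd[2005]: Failed password for bob from 198.51.100.7 port 51004 ssh2
Mar 10 09:00:11 host1 sshd[2006]: Accepted password for bob from 198.51.100.7 port 51005 ssh2
Mar 10 09:01:00 host1 sshd[2007]: Failed password for alice from 203.0.113.5 port 40000 ssh2
Mar 10 09:01:04 host1 sshd[2008]: Accepted password for alice from 203.0.113.5 port 40001 ssh2
Mar 10 09:02:00 host1 sshd[2009]: Failed password for invalid user admin from 198.51.100.9 port 33000 ssh2
Mar 10 09:02:01 host1 sshd[2010]: Failed password for invalid user admin from 198.51.100.9 port 33001 ssh2
"""

# Syslog timestamp, host, sshd pid, then the "Failed/Accepted password for ..." message.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)


def parse_line(line, year=2009):
    """Parse one auth-log line into (timestamp, result, user, ip); None if it does not match.

    Syslog lines carry no year, so the caller supplies it (assumed 2009 here).
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]


def correlate(log_text, fail_threshold=5, window=timedelta(minutes=10)):
    """Correlate failed and accepted logins per (user, source IP).

    Emits ('brute_force', user, ip, count) once when failures inside the window
    reach fail_threshold, and ('success_after_failures', user, ip, count) when a
    login succeeds after three or more recent failures from the same source.
    Thresholds are assumptions chosen for the sample data.
    """
    recent = defaultdict(deque)   # (user, ip) -> timestamps of recent failures
    flagged = set()               # (user, ip) pairs already reported as brute force
    alerts = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue              # unrelated line, or a format this parser does not know
        ts, result, user, ip = parsed
        key = (user, ip)
        fails = recent[key]
        while fails and ts - fails[0] > window:   # drop failures outside the window
            fails.popleft()
        if result == "Failed":
            fails.append(ts)
            if len(fails) >= fail_threshold and key not in flagged:
                flagged.add(key)
                alerts.append(("brute_force", user, ip, len(fails)))
        else:
            if len(fails) >= 3:
                alerts.append(("success_after_failures", user, ip, len(fails)))
            fails.clear()         # a success resets the failure run for this pair
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG):
        print(alert)
```

The second alert type is the one worth paging on: a run of failures that ends in a success is the signature of a guessed weak password, whereas a run of failures alone is background noise on any Internet-facing host. Alice's single typo followed by a success produces nothing, which is the behaviour you want from a rule like this.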

None of this is new or shocking, but it is still relevant and important.


Google Drops the Ball


In an incident that received fairly wide industry press coverage, it was recently discovered that Google Documents allowed those viewing a user's shared files to view other documents that were not specifically shared. Details can be found here, among other places. The situation has now apparently been resolved.

The incident did not affect a large percentage of the files stored on Google Documents ("less than 0.5% of all [Google] documents"), but the ultimate impact may end up exceeding the seemingly minor proximate impact.

Google is trying to build a business model based on "cloud computing," i.e. the idea that data and applications do not need to reside on PCs, but that they should be based "in the cloud." There are clearly advantages to cloud computing. As an early adopter and proponent of Gmail, I haven't used a local software mail client for my personal email in years. I can access my data from anywhere that has Internet access and from any web-enabled platform. People, for the most part, believe in cloud computing for email.

Documents, however, are something else. Almost everyone still clings to a local copy of MS Office, Open Office, or some other software-based suite for word processing, spreadsheets, simple databases, and presentations. Google is fighting an uphill battle here to convince people that the advantages of working with documents in the cloud outweigh the risks and disadvantages.

Google still has a lot of goodwill capital in the eyes of the computing masses. People trust Google more than they trust, e.g., Microsoft. If Google said that cloud computing offers real advantages and can be secure, then people are willing to believe it. Now, however, as nearly every blogger that covered this story has pointed out, people will start to question the security of cloud computing in a significant way.

What will the next Google Documents security breach look like? Should I store any sensitive information up there? Maybe I trust Google not to read my documents, but do I trust them to make sure that others don't read them?



The Register reported today that there is a serious flaw in eBay's web site implementation that allows third parties to use style sheet (CSS) functionality in listings. Cefn Hollie reported this to eBay last week. eBay has removed the fraudulent listing from their site. However, "the only way to effectively protect users from such attacks is to white-list filter a set number of CSS functions deemed to be safe and to block everything else. That may be patently obvious to some, but if eBay has only now gotten around to implementing such measures, it's a good bet plenty of other websites are still wide open to this attack. Which means we wouldn't be surprised to see more attacks like these coming to a Web 2.0 site near you."

This is not just an Internet Explorer issue; Firefox and other browsers are open to these types of attacks. Bill Sisk, Microsoft's Security Response Manager, said, "The nature of these attacks is not new and website operators commonly have protections in place to mitigate against such attacks."

Read more at: http://www.theregister.co.uk/2009/03/08/ebay_scam_wizardy/
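To make the allowlist approach in the quoted passage concrete, here is an added Python example (not eBay's filter and not code from the article) that keeps only declarations whose property is on a constructed allowlist and whose value contains none of the constructs that pull in remote content or execute script. The property list, the value rules and the sample input are assumptions.

```python
import re

# Properties a user-supplied style is allowed to set (a constructed allowlist,
# not eBay's). Layout properties that can reposition or cover page elements
# are deliberately absent.
ALLOWED_PROPERTIES = {
    "color", "background-color", "font-size", "font-weight", "font-family",
    "text-align", "margin", "padding", "border",
}

# Value constructs that never pass, whatever the property: remote loads,
# legacy script-in-CSS, pseudo-URLs, browser bindings, nested imports and
# backslash escapes (which can disguise any of the above).
FORBIDDEN_VALUE_RE = re.compile(
    r"url\s*\(|expression\s*\(|javascript:|-moz-binding|@import|\\",
    re.IGNORECASE,
)

# After the deny check, the value must also be built only from these characters:
# word characters, whitespace, # for hex colours, %, ., commas, parentheses, hyphen.
# Quotes, slashes and semicolons are therefore impossible inside a kept value.
SAFE_VALUE_RE = re.compile(r"^[\w\s#%.,()-]+$")


def sanitize_declarations(css, allowed=ALLOWED_PROPERTIES):
    """Split a declaration block and return (kept, dropped) lists.

    A declaration survives only if its property is on the allowlist and its
    value passes both the deny pattern and the conservative character check.
    """
    kept, dropped = [], []
    for decl in css.split(";"):
        decl = decl.strip()
        if not decl:
            continue
        if ":" not in decl:
            dropped.append(decl)
            continue
        prop, value = decl.split(":", 1)
        prop, value = prop.strip().lower(), value.strip()
        if (prop not in allowed
                or FORBIDDEN_VALUE_RE.search(value)
                or not SAFE_VALUE_RE.match(value)):
            dropped.append(decl)
        else:
            kept.append(f"{prop}: {value}")
    return kept, dropped


def sanitize_inline_style(css):
    """Return the filtered declaration block as a single style string."""
    kept, _ = sanitize_declarations(css)
    return "; ".join(kept)


if __name__ == "__main__":
    # Constructed sample input mixing harmless and disallowed declarations.
    sample = ("color: red; background-color: url(http://example.invalid/x.png); "
              "color: expression(1); font-size: 12px; position: absolute")
    kept, dropped = sanitize_declarations(sample)
    print("kept:   ", kept)
    print("dropped:", dropped)
```

Two design points: the property allowlist and the value checks are both needed, since an allowed property such as `color` can still carry a value that loads or executes something; and the character check rejects anything it does not recognise, so a declaration such as `font-size: 12px !important` is dropped rather than guessed at. Logging the `dropped` list gives the site operator a cheap signal for listings that are probing the filter.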


Most folks in the security business realize that peer-to-peer (P2P) file sharing exposes organizations to certain risks. Because P2P applications are often used to share pirated media such as music and movies, it is all too easy to underestimate the nature of those risks. The impact of P2P file sharing can easily extend beyond resource consumption, viruses, and threat of litigation from the entertainment industry.

Two examples of serious information breaches through P2P file sharing have recently been publicized. In the first case, blueprints of the presidential helicopter Marine One were accessible through P2P file sharing on the computer of a defense contractor. Other sources indicate that this data had been shared as far as Iran and other hostile nations. This is particularly surprising not only due to the highly sensitive nature of the information but also due to the fact that defense contractors are typically required to adhere to stringent security policies.

The second case involves a Dartmouth College finding that turned up a treasure trove of health related information from many sources over a handful of popular P2P sharing networks. This information included highly sensitive patient records, pre-signed prescription forms, social security numbers, and patient billing information. The impact to HIPAA compliance is obvious, but real world exploitation of this data is potentially even more serious.

It goes without saying that sensitive information must be secured. We often focus on outsider threats, but peer-to-peer file sharing can be a trojan horse that can originate with a non-malicious insider. The implications of this vulnerability can be much greater than might seem obvious.

© 2010 netForensics, Inc